Confluence Data Center
CONFSERVER-30884

Unauthenticated access to private information via tinymce plugin


Details

    Description

      It is possible for unauthenticated users to retrieve information from a Confluence instance, including tables of contents and change histories for private pages, and lists of all attachments in a space, by making calls to the preview function of the macro REST API in the confluence-tinymce-plugin. This is effective even when the anonymous user does not have any permissions in Confluence.

      While obtaining the table of contents or change history of a private page is obviously less valuable to the attacker than retrieving the full content, it still represents a serious information leak.

      Note that the issue arises from the fact that the preview function will invoke a macro of the caller’s choice against a page of the caller’s choice, and this is accessible to unauthenticated users. Certain macros have internal access control checks which prevent sensitive information from being leaked, but this is not true of all macros.

      It is relatively easy to exploit this issue, given that information about a page can be obtained simply by specifying its numeric identifier in the request, so a brute-force attack could be designed to iterate through all possible identifiers and retrieve large amounts of information from an unauthenticated perspective.

      The list of affected macros is: toc, change-history, attachments, space-attachments, listlabels, related-labels, popular-labels, recently-used-labels, and navmap.

      The following example HTTP request will return the table of contents for a page, assuming the contentId parameter is set correctly. Note there is no session cookie in this request.

      POST /rest/tinymce/1/macro/preview HTTP/1.1
      Host: xxxx:8090
      Content-Type: application/json; charset=utf-8
      Content-Length: 70

      {"contentId":"1507337","macro":{"name":"toc","body":"","params":{}}}
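      The following is an added detection and filtering example, not part of the original report or of Confluence itself. It shows two defender-side checks built from the facts above: a log sweep that counts successful preview calls made with no authenticated user per source host (the enumeration pattern the description warns about), and a front-end decision function that refuses an anonymous preview request whose macro name is in the affected list. The log layout (Common Log Format with a user field), the sample log lines, the hosts, and the threshold value are all constructed assumptions for this example.

```python
import json
import re
from collections import Counter

# Macros the report lists as leaking information through the preview endpoint.
AFFECTED_MACROS = {
    "toc", "change-history", "attachments", "space-attachments", "listlabels",
    "related-labels", "popular-labels", "recently-used-labels", "navmap",
}

PREVIEW_PATH = "/rest/tinymce/1/macro/preview"

# Assumed Common Log Format with an authenticated-user field:
# host ident user [timestamp] "request line" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample lines (RFC 5737 documentation addresses), not a real log.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2013:12:00:01 +0000] "POST /rest/tinymce/1/macro/preview HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2013:12:00:01 +0000] "POST /rest/tinymce/1/macro/preview HTTP/1.1" 200 498
203.0.113.7 - - [10/Oct/2013:12:00:02 +0000] "POST /rest/tinymce/1/macro/preview HTTP/1.1" 200 630
198.51.100.4 - alice [10/Oct/2013:12:00:03 +0000] "POST /rest/tinymce/1/macro/preview HTTP/1.1" 200 700
203.0.113.7 - - [10/Oct/2013:12:00:04 +0000] "GET /display/DS/Home HTTP/1.1" 200 9000
192.0.2.9 - - [10/Oct/2013:12:00:05 +0000] "POST /rest/tinymce/1/macro/preview HTTP/1.1" 200 300
"""


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def unauthenticated_preview_hits(log_text):
    """Count successful (2xx) POSTs to the preview endpoint per source host
    where the user field is '-', i.e. no authenticated user."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST" and rec["path"] == PREVIEW_PATH
                and rec["user"] == "-" and rec["status"].startswith("2")):
            hits[rec["host"]] += 1
    return hits


def flag_enumeration(log_text, threshold=3):
    """Hosts whose unauthenticated preview hit count reaches the threshold,
    the signature of a brute-force walk over contentId values."""
    hits = unauthenticated_preview_hits(log_text)
    return sorted(host for host, n in hits.items() if n >= threshold)


def should_block(body, authenticated):
    """Decision a reverse proxy or servlet filter (hypothetical) could take on
    one preview request: block when the caller is anonymous and the requested
    macro is one of the affected ones. A malformed anonymous body is blocked too."""
    if authenticated:
        return False
    try:
        name = json.loads(body)["macro"]["name"]
    except (ValueError, KeyError, TypeError):
        return True
    return name in AFFECTED_MACROS


if __name__ == "__main__":
    print("Unauthenticated preview hits:", dict(unauthenticated_preview_hits(SAMPLE_LOG)))
    print("Hosts flagged for enumeration:", flag_enumeration(SAMPLE_LOG))
    body = '{"contentId":"1507337","macro":{"name":"toc","body":"","params":{}}}'
    print("Block anonymous toc preview:", should_block(body, authenticated=False))
```

      The log sweep keys on the user field, so it only works if the access log records the authenticated user; if the deployment logs nothing of the sort, the path-plus-rate pattern alone is still a useful indicator of enumeration. The filter function is a stop-gap in front of an unpatched instance, not a substitute for applying the vendor fix.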

      People

        alwang Alice Wang (Inactive)
        4d658525b00b Richard Turnbull